Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons

Published: 2022-08-28
Last Updated: 2022-08-28 11:24:43 UTC
by Didier Stevens (Version: 1)

I updated my Cobalt Strike beacon analysis tool (1768.py) to deal with false positives in memory dumps of Windows systems.

When my tool is given a process memory dump or a full system memory dump, it searches the dump for the header of a beacon configuration.

This often yields false positives in full memory dumps. I have now introduced a sanity check (option -S) to hide these false positives.
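To illustrate the idea of header scanning followed by a sanity check, here is an added example. It is not 1768.py and not Didier's code; it is a small standalone scanner written for this diary. It assumes the publicly documented layout of a beacon configuration (each record is a big-endian 2-byte index, 2-byte type with 1=short, 2=int, 3=bytes, 2-byte length, then data; the first record is index 1, type 1, length 2, so the decoded header is `00 01 00 01 00 02`; the whole block is XOR-encoded with a single-byte key, 0x69 or 0x2e). The sanity check is a heuristic of my own (records must parse, start at index 1, and have strictly ascending indices); it is not the logic behind the tool's -S option. The sample "dump" is constructed inline and contains one real-looking configuration and one bare header followed by junk.

```python
"""Scan a memory-dump buffer for XOR-encoded beacon configuration headers,
then optionally drop hits whose surrounding bytes do not parse as records.
Added example for the diary; assumptions are noted in the comments."""
import struct

# Assumption: decoded config starts with record index 1, type 1 (short), length 2.
HEADER = bytes([0x00, 0x01, 0x00, 0x01, 0x00, 0x02])
XOR_KEYS = (0x69, 0x2E)          # assumption: classic and newer single-byte keys
TYPE_SIZES = {1: 2, 2: 4}        # short, int; type 3 is variable-length bytes


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_candidates(dump: bytes):
    """Yield (offset, key) for every occurrence of an XOR-encoded header.
    This is the raw header search that produces the false positives."""
    for key in XOR_KEYS:
        needle = xor(HEADER, key)
        pos = dump.find(needle)
        while pos != -1:
            yield pos, key
            pos = dump.find(needle, pos + 1)


def parse_records(config: bytes, max_records: int = 64):
    """Parse index/type/length/data records from a decoded window.
    Returns a list of (index, type, value), or None on malformed data.
    An index of 0 (zero padding) ends the list."""
    records, off = [], 0
    while off + 6 <= len(config) and len(records) < max_records:
        idx, typ, length = struct.unpack_from(">HHH", config, off)
        if idx == 0:
            break
        if typ not in (1, 2, 3):
            return None
        if typ in TYPE_SIZES and length != TYPE_SIZES[typ]:
            return None
        if off + 6 + length > len(config):
            return None
        data = config[off + 6:off + 6 + length]
        if typ == 1:
            value = struct.unpack(">H", data)[0]
        elif typ == 2:
            value = struct.unpack(">I", data)[0]
        else:
            value = data
        records.append((idx, typ, value))
        off += 6 + length
    return records


def passes_sanity_check(records, min_records: int = 3) -> bool:
    """Heuristic (my own, not the tool's -S logic): enough records parsed,
    the first is index 1, and indices are strictly ascending."""
    if not records or len(records) < min_records:
        return False
    indices = [r[0] for r in records]
    return indices[0] == 1 and all(a < b for a, b in zip(indices, indices[1:]))


def scan(dump: bytes, sanity_check: bool = False, window: int = 4096):
    """Return a list of hits; with sanity_check=True, unparseable hits are hidden."""
    hits = []
    for offset, key in find_candidates(dump):
        records = parse_records(xor(dump[offset:offset + window], key))
        if sanity_check and not passes_sanity_check(records):
            continue
        hits.append({"offset": offset, "key": key, "records": records})
    return hits


def build_record(idx: int, typ: int, value) -> bytes:
    """Encode one record (used only to construct the sample dump)."""
    data = {1: lambda v: struct.pack(">H", v), 2: lambda v: struct.pack(">I", v)}.get(typ, lambda v: v)(value)
    return struct.pack(">HHH", idx, typ, len(data)) + data


def make_sample_dump() -> bytes:
    """Constructed sample: one plausible config (XOR 0x69) and one false positive
    (encoded header followed by unrelated bytes) inside filler."""
    config = (build_record(1, 1, 8)              # constructed: beacon type
              + build_record(2, 1, 443)          # constructed: port
              + build_record(3, 2, 60000)        # constructed: sleep time
              + build_record(8, 3, b"example.invalid,/ca\x00"))  # placeholder C2 field
    config += b"\x00" * 32                       # zero padding terminates the records
    false_positive = xor(HEADER, 0x69) + b"\xff" * 40
    return b"\x00" * 100 + xor(config, 0x69) + b"A" * 200 + false_positive + b"B" * 50


if __name__ == "__main__":
    dump = make_sample_dump()
    print("without sanity check:", [h["offset"] for h in scan(dump)])
    print("with sanity check:   ", [h["offset"] for h in scan(dump, sanity_check=True)])
```

On the constructed dump the raw header search reports two offsets, while the sanity-checked scan keeps only the one whose following bytes parse as a consistent record list. Against a real full memory dump the window size and the heuristic thresholds would be the knobs to tune; the point is that the cheap header match is the trigger and the structural parse is the filter.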

Here is a short how-to video.


Didier Stevens
Senior handler
Microsoft MVP

Keywords: 1768 cobalt strike